Nearly two weeks ago security researcher Dan Kaminsky, in coordination with US-CERT, announced a critical vulnerability in DNS that could cripple parts of the Internet. At the time of disclosure, Kaminsky refused to provide full details of the vulnerability in hopes that users of DNS would have 30 days to patch their servers. As it turns out, they only got 13 days.

Kaminsky admitted today on a Black Hat webcast that there is now a valid attack in the wild that exploits the DNS vulnerability. The attack is now available as a module for the point and click Metasploit framework making exploitation simple for script kiddies to try and execute.

With the attack in the wild, millions of recursive DNS servers that have not yet been patched for the flaw could be at risk from the cache poisoning attack.

"It doesn't matter who leaked the exploit, we have an actual extant threat to the network and it's a big deal," Kaminsky said. "I don't care who said what when. Now it doesn't matter, what matters is people need to patch. We're in a lot of trouble. This attack is being weaponized out in the field."

Kaminsky admitted that he made an unreasonable request of security researchers to not try and produce exploit code for the vulnerability. He applauded the fact that most of the security community had respected his request.

In terms of how many people have been able to patch for the vulnerability, Kaminsky shared some insights. Based on data from a tool that Kaminsky posted on July 8th, when the first patches for the DNS server were made available, 86 percent of people that came to his site were vulnerable. As of July 24th that number had dropped down to 52 percent.

"52 percent is not perfect and maybe it's not good enough but we had to try," Kaminsky said candidly.

No active exploit?

Kaminsky noted that some organizations might have refused to patch their DNS servers since there was no active exploit and because Kaminsky did not release full details. That excuse no longer exists as the code is in Metasploit today. Metasploit is a freely available tool that allows a researcher to plug in modules that can be used to execute attacks through a simple interface.

Additionally, not all types of DNS servers are at risk. Kaminsky's flaw only affects what is known as recursive DNS servers that provide domain lookup information. Authoritative DNS servers that provide the core DNS infrastructure at VeriSign and large domain vendors like GoDaddy were never at risk.

The patches for the DNS flaw that have been pushed out by multiple vendors including Microsoft, ISC BIND, Cisco and others are not the ultimate solution for the problem that Kaminsky discovered. Kaminsky admitted that DNSSEC is the ultimate solution for the problem. DNSSEC provide additional security extentions to DNS to ensure authenticity.

Joao Damas, senior programming manager at ISC said on the same webcast that the only thing that provides full security for the problem is DNSSEC.

"You should go for the patches first," Damas said. "But after that is done there is a real need to put pressure on for DNSSEC."